Don’t Miss Wade Lance at Black Hat USA 2026
Catch Me If You Can: One Certificate, Hundreds of Hidden Proxies, and the Attribution Trap Inside a Bulletproof Relay Fleet
How One Reused Certificate Exposed a 10-Country Bulletproof Relay Fleet — and Signaled Active Use by Threat Actors.
One throwaway self-signed certificate, reused byte-for-byte across hundreds of hosts, became the pivot that unspooled CanOworms — a large bulletproof proxy-and-VPN relay fleet-for-hire. SecurityScorecard's STRIKE Threat Intelligence team clusters the fleet by certificate and TLS-stack fingerprints across internet-wide scan data, deanonymizes the "privacy"-branded reseller behind it, and characterizes a rotating cast of tenants: commodity RAT and botnet families including Remcos, Quasar RAT, NanoCore, NetWire, and AsyncRAT, alongside activity peers have linked to a China-nexus APT. The talk delivers a certificate-clustering methodology, a disciplined approach to attribution under shared-infrastructure conditions, and why covert infrastructure build-out is an early-warning signal most stacks miss.
Seats fill quickly - arrive early.
When & Where:
Wednesday, August 5
4:45 - 5:15 PM
Mandalay Bay K



